Log Review Expert-Enhanced Machine Learning Upgrade
Alert Logic is upgrading the Log Review cases with new machine learning algorithms, which allows Alert Logic to deliver a higher level of security value. The Log Review algorithms can automatically detect many log-based anomaly types based on unique patterns and trends learned from your organization.
The Log Review output consist of anomalies generated from the machine learning based detection that are delivered as information-level incidents in the Incidents page. Alert Logic offers detailed reports of your anomalies generated with the machine learning Log Review algorithms in the evidence tab of the incident investigation report. For more information about the investigation report, see Investigation Report.
Log Review incidents are listed in the Monthly Log Review report. Sections of the Incident Daily Digest report also summarize anomalies raised based on customer-level, host-level, and user-level models.
Alert Logic analysts continue to oversee Log Review incidents, and the Log Review feature continues to meet your log review compliance requirements.
About machine learning based on Log Review process
The machine learning model-based Log Review is fast, efficient, and accurate, which increases the likelihood of detecting most anomalies through log data. The Log Review model can detect more than 100 anomaly scenarios based on time series, location, and unusual names. The machine learning models are computed based on specific logs customers sent to Alert Logic and are based on at least 90 days worth of data. Rule-based analytics can also trigger anomaly detections can also be triggered by rule-based analytics, which allows anomalies to be detected automatically and reliably, based on your patterns and trends.
Log Review examines security-related logs that alert you to potential security issues, and assists with compliance mandates. Log anomalies are automatically raised based on:
- Unusual counts of certain events
- Unique users accessing a host
- Unusual or suspicious user names
- Blacklists
- User preference
Examples of log data that Alert Logic reviews are:
- Windows: Failed logins, changes to privileges, changes to accounts, Active Directory global catalog changes, and others
- Linux: Sudo access, SSH failed logins, switched user common success/fails, and others
- AWS: MFA, security group changes, IAM, EC2, S3 changes, user account and access changes, network control changes, and others
- Azure: Backup, user file access, user login activity, user network security events, OAuth2 grant activity, object access, user role modification activity, service principal activity, user file access, user group modification
The Log Review algorithm then observes and learns patterns and trends, and it automatically tunes itself for more accurate security content.
Log Review models and outcomes
The Log Review is based on three models:
- Customer model: Tracks and learns from log data related to customer activity
- Host model: Tracks and learns from log data related to host changes
- User model: Tracks and learns from log data related to user activity
The Log Review outcomes include anomaly detections based on customer trends, anomalies based on user trends, and anomalies based on host trends. The following are anomalies that Alert Logic uses the following anomalies to generate incidents for all machine learning models:
|
Anomaly |
Description |
|---|---|
|
high-message-count |
A spike in the number of log messages of a given type. |
|
high-sourceuser-count |
A spike in the number of unique source users for a given message type and host. |
|
high-targetuser-count |
A spike in the number of unique target users for a given message type and host. |
|
high-sourcehost-count |
A spike in the number of unique source hosts for a given message type and host or user. |
|
high-targethost-count |
A spike in the number of unique target hosts for a given message type and host or user. |
|
unusual-name |
A user name is different from the normal names encountered. |
|
unusual-location |
A host location is different from the normal locations encountered. |
Alert Logic analysts also generate incidents based on pattern matching and rule-based detection based on your preferences. These include the following Windows administrator activities:
- High log message count for Windows failed login
- High log message count for Windows account changed
- Total message count for Windows account changed
Observations
Alert Logic can note observations in incident investigation reports which provide other relevant security information. Observations identify security patterns and allow you to conduct threat hunting for activity that does not meet the criteria to become an incident, but can still demonstrate security value. The two types of observations are anomaly and suspicious pattern observations.
For anomaly observations, Alert Logic uses the following criteria to make note of this observation:
For high-message-count and high-user-count anomalies, the properties are:
- Expected-count: the count of messages that the anomaly detector expected to see
- Actual-count: the count of messages that the anomaly detector actually saw
For an unusual-location anomaly, the properties are:
- Location: the anomalous location
- Message-count: number of messages with anomalous location
For an unusual-name anomaly, the properties are:
- Name: the anomalous name
- Message-count: number of messages with anomalous location
For suspicious pattern observations, Alert Logic uses the following properties to make note of this observation:
- Message-count: the number of messages that matched the pattern
- Matched-patterns: the values that matched the pattern
Customer model
The (Undefined variable: ALVariables.Log Review feature) customer model includes anomalies based on customer trends of log message types for high overall count.
| Model | Anomaly | Included details |
|---|---|---|
| Customer |
high-message-count |
Customer Target Time range Log source Customer ID and name Message type (parser) Implicated hosts Implicated users Expected count Actual count |
Host model
The (Undefined variable: ALVariables.Log Review feature) host model includes anomalies based on host trends of log message types for high count, unusual location, and unique users.
| Model | Anomaly | Included details |
|---|---|---|
| Host |
high-message-count |
Time range Log source Customer ID and name Message type Host IP/name Implicated users Implicated event details Expected count Actual count |
| Host |
high-sourceuser-count high-targetuser-count |
Time range Log source Customer ID and name Message type Host IP/name Implicated users Implicated event details Expected count Actual count |
| Host |
unusual-location |
Time range Log source Customer ID and name Message type Host IP/name Implicated users Implicated event details Location |
User model
The Log Review user host model includes anomalies based on user trends of log message types for a high overall count, and it includes anomalies regarding unusual names.
| Model | Anomaly | Included details |
|---|---|---|
| User |
unusual-name |
Time range Log source Customer ID and name Message type User name Implicated hosts Implicated event details |
| User |
high-message-count |
Time range Log source Customer ID and name Message type User name Implicated hosts Implicated event details Expected count Actual count |
| User |
high-sourcehost-count high-targethost-count |
Time range Log source Customer ID and name Message type User name Implicated hosts Implicated event details Expected count Actual count |